Register a SAML app in your external tenant (preview)

Applies to: External tenants only (not workforce tenants)

In external tenants, you can register applications that use the OpenID Connect (OIDC) or Security Assertion Markup Language (SAML) protocol for authentication and single sign-on. The app registration process is designed specifically for OIDC apps, but you can use the Enterprise applications feature to create and register your SAML app. This process generates a unique application ID (client ID) and adds your app to App registrations, where you can view and manage its properties.

This article describes how to register your own SAML application in your external tenant by creating a non-gallery app in Enterprise applications.

Note

The following capabilities aren't supported for SAML apps in external tenants:

  • Preintegrated SAML applications in the Microsoft Entra gallery aren't supported in external tenants.
  • The availability of the Provisioning tab in the SAML app settings is a known issue. Provisioning isn't supported for apps in external tenants.
  • IdP-initiated flow isn't supported.

Prerequisites

Create and register a SAML app

  1. Sign in to the Microsoft Entra admin center as at least an Application Administrator.

  2. If you have access to multiple tenants, use the Settings icon in the top menu and switch to your external tenant from the Directories menu.

  3. Go to Identity > Applications > Enterprise Applications (Preview).

  4. Select New application.

  5. Select Create your own application.

    Screenshot of the Create your own application option in the Microsoft Entra Gallery.

  6. On the Create your own application pane, enter a name for your app.

    Note

    You might see a gallery app selector, but you can disregard it as gallery apps aren't supported in external tenants.

  7. Select "(Preview) Integrate any other application you don't find in the gallery (Non-gallery)".

  8. Select Create.

  9. The app Overview page opens. In the left menu under Manage, select Properties. Switch the Assignment required? toggle to No so that users can use self-service sign-up, and then select Save.

    Screenshot of the Assignment required toggle.

  10. In the left menu under Manage, select Single sign-on (Preview).

  11. Under Select a single sign-on method, select SAML (preview).

    Screenshot of the Single sign-on method tile.

  12. On the SAML-based Sign-on (Preview) page, do one of the following:

    • Select Upload metadata file, browse to the file containing your metadata, and then select Add. Select Save.
    • Or, use the Edit pencil option to update each section, and then select Save.

    Note

    Make sure your SAML app uses your ciamlogin endpoint, for example domainname.ciamlogin.com, instead of login.microsoft.com. If you're downloading the federation metadata URL, it should be in the form domain.ciamlogin.com/<tenantid>/federationmetadata/2007-06/federationmetadata.xml?appid=<appid>.

  13. Select Test, and then select the Test sign-in button to see if single sign-on is working. This test verifies that your current admin account can sign in using the https://login.microsoftonline.com endpoint.

    Screenshot of the test single sign-on option.

    You can test external user sign-in with these steps:
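Independently of the sign-in test, the note in step 12 gives two configuration requirements that a service provider can verify before its first SAML exchange: the federation metadata URL has the ciamlogin.com form, and the downloaded metadata advertises SingleSignOnService endpoints on the tenant's ciamlogin.com domain rather than login.microsoftonline.com. The script below is an added example, not code from this article or from Microsoft; the tenant name contoso, the placeholder GUIDs, and the sample metadata documents are constructed, and the regex treats the tenant and app ids as opaque path and query segments rather than assuming a format.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Shape of the federation metadata URL quoted in the step 12 note
# (scheme optional because the note omits it; id formats are not constrained here).
METADATA_URL_RE = re.compile(
    r"^(?:https://)?(?P<domain>[a-z0-9-]+)\.ciamlogin\.com/(?P<tenant>[^/?]+)"
    r"/federationmetadata/2007-06/federationmetadata\.xml\?appid=(?P<appid>[^&]+)$"
)

def check_metadata_url(url):
    """True if the URL has the <domain>.ciamlogin.com federation metadata form."""
    return METADATA_URL_RE.match(url) is not None

def check_idp_metadata(metadata_xml, tenant_domain):
    """Return problems found in downloaded IdP metadata; an empty list means every
    SingleSignOnService location is on <tenant_domain>.ciamlogin.com."""
    root = ET.fromstring(metadata_xml)
    expected_host = f"{tenant_domain}.ciamlogin.com"
    locations = [e.attrib.get("Location", "") for e in root.iter(f"{MD_NS}SingleSignOnService")]
    problems = []
    if not locations:
        problems.append("no SingleSignOnService endpoint in metadata")
    for loc in locations:
        if urlparse(loc).hostname != expected_host:
            problems.append(f"SSO endpoint {loc} is not on {expected_host}")
    return problems

# Constructed sample metadata for a hypothetical tenant 'contoso' with a placeholder GUID.
TENANT = "00000000-0000-0000-0000-000000000000"
GOOD_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://contoso.ciamlogin.com/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://contoso.ciamlogin.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# Same document but pointing at the workforce endpoint the note says not to use.
BAD_METADATA = GOOD_METADATA.replace("contoso.ciamlogin.com", "login.microsoftonline.com")

if __name__ == "__main__":
    url = f"https://contoso.ciamlogin.com/{TENANT}/federationmetadata/2007-06/federationmetadata.xml?appid={TENANT}"
    print("metadata URL ok:", check_metadata_url(url))
    print("good metadata problems:", check_idp_metadata(GOOD_METADATA, "contoso"))
    print("bad metadata problems:", check_idp_metadata(BAD_METADATA, "contoso"))
```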